We switched to the latest version (21) of cloud-s4-sdk-pipeline. The new features work, but, in addition to having the latest dependency versions, we now also receive npm dependency audit errors.
Summary of findings
• High Arbitrary File Overwrite vulnerability found in dependency "tar", see https://npmjs.com/advisories/803 for details.
• High Code Injection vulnerability found in dependency "js-yaml", see https://npmjs.com/advisories/813 for details.
• Moderate Regular Expression Denial of Service vulnerability found in dependency "mime", see https://npmjs.com/advisories/535 for details.
• Moderate Regular Expression Denial of Service vulnerability found in dependency "underscore.string", see https://npmjs.com/advisories/745 for details.
• Moderate Prototype Pollution vulnerability found in dependency "lodash", see https://npmjs.com/advisories/782 for details.
• Moderate Denial of Service vulnerability found in dependency "js-yaml", see https://npmjs.com/advisories/788 for details.
Does anyone have a similar problem? Is there a solution?
Answer 0 (score: 1)
One of the main changes from v20 to v21 is that we now audit all package.json files that can be found in your project (the same as the WhiteSource scan does).
I think this is the case in your project, which is why the new audit findings pop up.
I suggest you run npm audit --fix locally in the package.json directory and commit the resulting package-lock.json. If that does not solve your problem, the last resort is to follow here